1. Field of the Invention
Embodiments of the invention generally relate to networks and, more specifically, to a method and apparatus for host authentication in a network implementing network access control.
2. Description of the Related Art
Presently, network operators face the threat of their managed systems being compromised by misuse, misconfiguration, and malicious access. Network Access Control (NAC) is a process designed to reduce security incidents and increase compliance by enforcing security policies as a prerequisite for access to managed networks. While there are several approaches to NAC, dynamic host configuration protocol (DHCP)-based NAC is becoming more popular. DHCP-based NAC is easier to integrate into the network than other NAC technologies and does not have any extra hardware requirements.
In DHCP-based NAC, a NAC component is integrated with a DHCP server. A device accesses the network and sends a DHCP request for internet protocol (IP) address assignment. The device typically includes an agent that serves as a policy decision point. When a device requests an IP address, the DHCP server queries the agent on the device to ensure compliance with established security policies. If the device complies with the security policies, the DHCP server assigns the device an IP address, giving it access to the appropriate network. If the device does not comply with the security policies, the device may be blocked from the network or kept in quarantine (e.g., assigned to a special virtual local area network (VLAN)).
There are some drawbacks to the conventional DHCP-based NAC described above. Notably, a rogue device may evade DHCP-based NAC by accessing the network and assuming a static IP address. Devices with static IP addresses do not interact with the DHCP server. Alternatively, a rogue device may assume the IP address of an authentic device that was leased an IP address from the DHCP server. In either case, the rogue device can connect to the network without satisfying the established security policies. Such a rogue device can exploit network resources or otherwise deleteriously affect network security. Accordingly, there exists a need in the art for authentication of devices in a network implementing NAC.
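As an added illustration that is not part of the patent, the following Python models the DHCP server's lease table and audits hosts observed on the network against it, flagging both evasion cases described above: a host using an address that was never leased (a static address, so the policy check never ran) and a host using a leased address with a different hardware address than the lessee. The lease table and the observed (IP, MAC) pairs are constructed sample data.

```python
# Constructed DHCP lease table: IP address -> MAC address of the device that
# passed the policy check and was granted the lease (sample data, not real).
LEASES = {
    "10.0.1.10": "aa:aa:aa:aa:aa:01",
    "10.0.1.11": "aa:aa:aa:aa:aa:02",
    "10.0.99.5": "aa:aa:aa:aa:aa:03",  # non-compliant host parked on a quarantine VLAN
}

# Constructed neighbor/ARP observations from the access switch: (IP, MAC) pairs.
OBSERVED = [
    ("10.0.1.10", "aa:aa:aa:aa:aa:01"),  # leased host, MAC matches the lease
    ("10.0.1.11", "bb:bb:bb:bb:bb:99"),  # leased IP, but a different MAC
    ("10.0.1.50", "cc:cc:cc:cc:cc:01"),  # no lease at all: static address
    ("10.0.99.5", "aa:aa:aa:aa:aa:03"),  # quarantined host, as expected
]


def audit(leases, observed):
    """Compare observed hosts with the lease table.

    Returns a dict mapping each suspicious IP to a finding string. Hosts whose
    IP and MAC both match a lease are the only ones that went through the
    DHCP-based NAC check, so everything else is reported.
    """
    findings = {}
    for ip, mac in observed:
        leased_mac = leases.get(ip)
        if leased_mac is None:
            # Never requested a lease: the agent on this device was never queried.
            findings[ip] = "no DHCP lease: static address, policy never evaluated"
        elif leased_mac.lower() != mac.lower():
            # The address was leased to another device; a second device is using it.
            findings[ip] = f"leased to {leased_mac}: leased address in use by another device"
    return findings


if __name__ == "__main__":
    for ip, finding in audit(LEASES, OBSERVED).items():
        print(f"{ip}: {finding}")
```

A real deployment would feed the lease file and the switch's neighbor table into `audit` instead of the constructed tables, and would treat a finding as a signal to re-run the policy check or isolate the host rather than as proof of malice.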